Embed Size (px)
Asim A. Sheikh B.A., LL. M.
Barrister-at-Law
Lecturer in Legal MedicineForensic and Legal Medicine
Faculty of Medicine, University College Dublin
Role of Law in the Regulation of Science, Medicine & Technology:
Medical Research, Public Health & Data Protection & Law
Promoting Health Research & Protecting Patient Rights
Office of the Data Protection Commissioner29th November, 2006
Role of Law in the Regulation of Science, Medicine & TechnologyRole of Law in the Regulation of Science, Medicine & Technology
Role of LawRole of Law– prevention of harmprevention of harm– protection of societyprotection of society– provision of certaintyprovision of certainty– standards of carestandards of care– Adversarial system – objective forum of exposureAdversarial system – objective forum of exposure
Role of Science, Medicine & Technology– progress / amelioration of quality of life?progress / amelioration of quality of life?
““Why is progress a prerequisite reserved almost exclusively for Why is progress a prerequisite reserved almost exclusively for the activities we call science?...Does a field make progress the activities we call science?...Does a field make progress because it is a science, or is it a science because it makes because it is a science, or is it a science because it makes
progress?”progress?”Kuhn TS. The Structure of Scientific Revolutions
PARADIGM SHIFTNormal Science
1
New Paradigm
2
People work within the parameters of theparadigm, indulging in 'Puzzle-Solving'.
Occurs as a result a reconstruction of the original field from new fundamentals, changing the field's initial theory, methods and applications.
Paradigm Shifts require guidance of the Law to ensure smooth transition from one paradigm to next
The Law and Kuhn's
Critique
Interface of Law, Science & MedicineInterface of Law, Science & Medicinesome examplessome examples
Medical Practitioners Act
Diamond v. Chakrabarty (US - 1980) - living matter is patentable
EC Directive: 98/44/EC; On the Legal Protection of Biotechnological
Inventions
Clinical Trials Acts 1987, 1990, Clinical Trials Directive
Human Fertilisation and Embryology Act (UK – 1990)
Best v. Wellcome Foundation Ltd (Ire – 1993) - pertussis vaccine -
scientific evidence
DNA Evidence cases
Grimes v Kennedy Krieger Institute (Maryland, US – 2000) – consent
in children – non-therapeutic medical research and RECs
Safety, Health and Welfare at Work Act, 2005 and regulations
(biological, chemical)
““...it seems to me imperative that the moral, social ...it seems to me imperative that the moral, social and legal issues raised by this case should be and legal issues raised by this case should be
considered by Parliament. The judges’ function considered by Parliament. The judges’ function in this area of the law should be to apply the in this area of the law should be to apply the
principles which society through the democratic principles which society through the democratic process, adopts, not to impose their standards on process, adopts, not to impose their standards on
society. If Parliament fails to act, then judge-society. If Parliament fails to act, then judge-made law will of necessity through a gradual and made law will of necessity through a gradual and uncertain process provide a legal answer to each uncertain process provide a legal answer to each
new question as it arises.”new question as it arises.”
Lord Browne-Wilkinson in Lord Browne-Wilkinson in Airedale NHS Trust v. BlandAiredale NHS Trust v. Bland
[1993] All ER 821[1993] All ER 821
The Tort SystemThe Tort SystemThe Tort SystemThe Tort System
The TortSystem
Clinical Negligence
Litigation
Judgment
Principlesof
RiskManagement
Ideals of Law in MedicineIdeals of Law in Medicine
Self-determination
Consent
Best interests of patient
Full disclosure of information
Protection of Privacy and
Confidentiality
Data ProtectionData Protection
Background I: General Concerns
Increased Activity in non-statutory medical research
Concerns over patient data Freedom of Information Change to electronic patient records
(EPR) Change in Data protection law Increased move toward embracing of
consent doctrine in clinical practice
“As the information society proceeds apace, public unease about new technologies needs to be firmly laid to rest…This survey shows
that public anxieties are, if anything, on the increase.” Joe Meade, DP Commissioner, 2003
Background II: Law Constitution Universal Declaration on Human Rights, 1948 European Convention on Human Rights, 1950 Council of Europe Convention on Data Protection, 1981 Data Protection Act, 1988 Freedom of Information Act, 1997-2003 Convention on Human Rights and Biomedicine, 1997 EU Directive on Data Protection, 1995 and Data Protection
(Amendment) Act 2003 European Recommendation No R (97) 5 on the Protection of
Medical Data (Council of Europe, Committee of Ministers), 13/2/97
Convention on Human Rights Act, 2003 Ethical & Legal Doctrine of Confidentiality Common Law
European Convention on Human Rights
Everyone has the right to respect for his private life
and family life, his home and correspondence
There shall be no interference by a public authority
with the right except such as is necessary in a
democratic society in the interests of national
security, public safety or the economic well-being of
the country, for the prevention of disorder or crime,
for the protection of morals, or for the protection of
the rights and freedoms of others.
The Irish Constitution & Privacy
The Irish Constitution does not expressly provide
for a Constitutional right to privacy
However, Irish case law provides authority which
indicates that the citizen may invoke the personal
rights provisions of Article 40.3.1 of the
Constitution so as to require the State to protect
and vindicate the citizen’s right to constitutional
privacy:
Kennedy v. Ireland [1987]
Chapter III – Private life and right to informationArticle 10 – Private life and right to information
1. Everyone has the right to respect for private life in relation to information about his or her health;
2. Everyone is entitled to know any information collected about his or her health. However, the wishes of individual not to be so informed shall be observed;
3. In exceptional cases, restrictions may be placed by law on the exercise of the rights contained in paragraph 2 in the interests of the patient.
Convention for the Protection of Human Rights and Dignityof the Human Being with regard
to the Application of Biology and Medicine:Convention on Human Rights and Biomedicine, 1997
“There can be no exceptions to the ordinary requirements of disclosure in the case of research as there may well be in ordinary
medical practice. The researcher does not have to balance the probable effect of lack of treatment against the risk involved in the
treatment itself. The example of risks being properly hidden from a patient where it is
important that he should not worry can have no application in the field of research. The subject of medical experimentation is entitled to full and frank disclosure of all the facts, probabilities and
opinions which a reasonable man might be expected to consider before giving his consent.”
Halushka v. University of Saskatchewan (1965)
Dis
clo
su
re in
Med
ical
Researc
h
The Nuremberg CodeThe Nuremberg Code
“The voluntary consent of the human subject
is absolutely essential... and should have sufficient knowledge and comprehension of the elements of the subject matter involved as to enable him to make an understanding
and enlightened decision. This latter element requires that before the acceptance
of an affirmative decision by the experimental subject there should be made
known to him the nature, duration, and purpose of the experiment ”
The Helsinki DeclarationThe Helsinki Declaration
Article 1Article 1
“The World Medical Association has developed the Declaration of Helsinki as a statement of ethical principles to provide
guidance to physicians and other participants in medical research involving
human subjects. Medical research involving human subjects includes research on
identifiable human material or identifiable data.”
The Helsinki DeclarationThe Helsinki Declaration
Article 22Article 22
““In any research on human beings, each In any research on human beings, each potential subject must be adequately potential subject must be adequately
informed of the aims, methods, sources of informed of the aims, methods, sources of funding, any possible conflicts of interest, funding, any possible conflicts of interest, institutional affiliations of the researcher, institutional affiliations of the researcher,
the anticipated benefits and potential risks the anticipated benefits and potential risks of the study and the discomfort it may of the study and the discomfort it may
entail…”entail…”
The Helsinki The Helsinki DeclarationDeclaration
“...The subject should be informed of the right to abstain from participation in the
study or to withdraw consent to participate at any time without reprisal. After ensuring
that the subject has understood the information, the physician should then
obtain the subject's freely-given informed consent, preferably in writing…”
Case Law
Geoghegan v. Harris (2000, HC)
R v. Department of Health, ex parte Source Informatics Ltd [2000]
Durant v. FSA (CA) [2003]
– Change from importance of use of information to maintenance of anonymity of information?
Processing means performing any operation or set of operations on data including:
– obtaining, recording or keeping the data
– collecting, organising, storing, altering or adapting the data
– retrieving, consulting or using the data
– disclosing the data by transmitting, disseminating or otherwise making it available
– aligning, combining, blocking, erasing or destroying the data.
Section 2: Protection of Privacy of Individuals with regard to Personal Data (1st STEP) - General Obligations
In relation to Personal Data (PD) a DC will ensure that that data shall:(a) be processed fairly(b) be accurate and complete and, where necessary, kept up to date,(c) The data shall:
– (i) be kept only for one or more specified, explicit and legitimate purposes,
– (ii) not be further processed in a manner incompatible with that purpose or those purposes,
– (iii) be adequate, relevant and not excessive in relation to the purpose or purposes for which they were collected or are further processed, and
– (iv) not be kept for longer than is necessary for that purpose or those purposes
(d) appropriate security measures shall be taken against unauthorised access to, or unauthorised alteration, disclosure or destruction of, the data, in particular where the processing involves the transmission of data over a network
1st Exemption - s2(5)Previous paragraphs (ii) & (iv)
(a) “do not apply to personal data kept for statistical or research or
other scientific purposes, and the keeping of which complies with such
requirements (if any) as may be prescribed for the purpose of
safeguarding the fundamental rights and freedoms of data subjects…
And
(b) “the data or, as the case may be, the information constituting such
data shall not be regarded for the purposes of paragraph (a) of the said
subsection as having been obtained unfairly by reason only that its use
for any such purpose was not disclosed when it was obtained,
if the data are not used in such a way that damage or distress is, or is
likely to be, caused to any data subject
Ramifications for personal data for a
secondary use
Seems to be case – data could be used
for a secondary purpose – not first
considered
But such secondary use – cannot cause
harm or distress to data subject
What are the basics of ‘fair processing’?
In section 2D – when obtaining data from Data Subject
– the identity of the data controller
– the purpose in collecting the data
– the persons or categories of persons to
whom the data may be disclosed
– any other information which is necessary
so that processing may be fair
If not obtaining information from data subject but from another source then:
Data Subject should know:– Identity of representative of DC and name of original
DC– Categories of data concerned
However: if this is for purposes of historic/scientific research and this information would be impossible to get or involve a disproportionate effort
– Then DPC can lay down conditions
PD shall NOT be processed unless - Fulfill S2 requirements and 1 of the following: the data subject must have given consent to the processing or the processing must be necessary for one of the following reasons -
– the performance of a contract to which the data subject is party– in order to take steps at the request of the data subject prior to– entering into a contract– compliance with a legal obligation, other than that imposed by contract– to prevent injury or other damage to the health of a data subject– to prevent serious loss or damage to property of the data subject– to protect the vital interests of the data subject where the seeking of
the consent of the data subject is likely to result in those interestsbeing damaged
– for the administration of justice– for the performance of a function conferred on a person by or under
an enactment– for the performance of a function of the Government or a Minister of
the Government– for the performance of any other function of a public nature– performed in the public interest by a person
Section 2A: Processing of Personal Data(2nd STEP)
Section 2B: Processing of Sensitive Personal Data(3rd STEP)
SPD shall NOT be processed unless - Fulfill S2 & S2A requirements and 1 of the following:
the data subject’s consent is explicitly given; the processing must be necessary for:
– for the purpose of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment
– to prevent injury or other damage to the health of the data subject or another person, or serious loss in respect of, or damage to, property or otherwise to protect the vital interests of the data subject or of another person in a case where, consent cannot be given, or the data controller cannot reasonably be expected to obtain such consent
– to prevent injury to, or damage to the health of, another person, or serious loss in respect of or damage to, the property of another person, in a case where such consent has been unreasonably withheld
– it is carried out by a not for profit organisation in respect of its members or other persons in regular contact with the organisation
– the information being processed has been made public as a result of steps deliberately taken by the data subject
– for the purpose of obtaining legal advice, or in connection with legal proceedings, or is necessary for the purposes of establishing, exercising or defending legal rights
– for medical purposes – undertaken by a health professional– is carried out by political parties or candidates for election in the context of an election– for the purpose of the assessment or payment of a tax liability– in relation to the administration of a Social Welfare scheme.
2nd
Ex
3rd
Ex
‘Medical Purposes & Health Professional’ 2nd Exemption (Research Exemption)
Defined as:
“‘medical purposes’ includes the purpose of preventive medicine, medical
diagnosis, medical research, the provision of care and treatment and the
management of healthcare services.”
“‘health professional’ includes a registered medical practitioner, within the
meaning of the Medical Practitioners Act, 1978, a registered dentist, within
the meaning of the Dentists Act, 1985, or a member of any other class of
health worker or social worker standing specified by regulations made by the
Minister after consultation with the Minister for Health and Children and any
other Minister of the Government who, having regard to his or her functions,
ought, in the opinion of the Minister, to be consulted”
3rd Exemption - s2B(1)(b)(xi)
Where:
“…processing is authorised by regulations that are made by
the Minister and are made for reasons of substantial public
interest.”
……then sensitive personal data can be processedthen sensitive personal data can be processed
4th Exemption - s2D(4)
Where giving of information to a data subject in relation to
the purpose/s of the data when that data is for the purposes
of historical or scientific research and “the provision of the
information specified therein proves impossible or would
involve a disproportionate effort…”
……then that information does not have to be giventhen that information does not have to be given
s4(4)-DC cannot disclose info about a 3rd party unless 3rd party consents, unless identity can be omitted and 3rd party is rendered unidentifiable
1.1. Data must be processed, fairly – which means that a data subject Data must be processed, fairly – which means that a data subject should know the following:should know the following:
(a)(a) the identity of the data controller or a nominated a representative the identity of the data controller or a nominated a representative (b) the purpose or purposes for which the data are intended to be (b) the purpose or purposes for which the data are intended to be
processed, andprocessed, and(c)(c) any other information which is necessary to enable processing in any other information which is necessary to enable processing in
respect of the data to be fair to the data subject such as information respect of the data to be fair to the data subject such as information about the recipients of the data (s2D)about the recipients of the data (s2D)
In this section of the Act, the data subject is not required to give In this section of the Act, the data subject is not required to give consent. It is the data controller who must provide informationconsent. It is the data controller who must provide information
if data is being obtained from someone or somewhere other than the data if data is being obtained from someone or somewhere other than the data subject, then, the data subject should be informed of the above information subject, then, the data subject should be informed of the above information and the identity of the original data controller and the category of data and the identity of the original data controller and the category of data before the information is processed or if to be disclosed to a third party, before the information is processed or if to be disclosed to a third party, before such disclosure. In scientific research if the provision of this before such disclosure. In scientific research if the provision of this information is impossible or involves a disproportionate effort, then it would information is impossible or involves a disproportionate effort, then it would not have to be disclosed if conditions laid down by the Minister are met not have to be disclosed if conditions laid down by the Minister are met (currently non such exist) (s2D4).(currently non such exist) (s2D4).
2.2. Data must be accurate, complete and, where necessary, kept up Data must be accurate, complete and, where necessary, kept up to date, kept only for one or more specified, explicit and to date, kept only for one or more specified, explicit and legitimate purposes. The data shall not be further processed in a legitimate purposes. The data shall not be further processed in a manner incompatible with that purpose or those purposes, shall manner incompatible with that purpose or those purposes, shall be adequate, relevant and not excessive in relation to the be adequate, relevant and not excessive in relation to the purpose or purposes for which they were collected or are further purpose or purposes for which they were collected or are further processed, and shall not be kept for longer than is necessary for processed, and shall not be kept for longer than is necessary for that purpose or those purposes (s2).that purpose or those purposes (s2).
However, the use of data for secondary purposes in scientific However, the use of data for secondary purposes in scientific research is permitted and would not be regarded as ‘unfair research is permitted and would not be regarded as ‘unfair processing’ even though such secondary use was not initially processing’ even though such secondary use was not initially disclosed if (i) any prescribed requirements are complied with to disclosed if (i) any prescribed requirements are complied with to safeguard the fundamental rights and freedoms of the data safeguard the fundamental rights and freedoms of the data subject and (ii) the data are not used in such a way that damage subject and (ii) the data are not used in such a way that damage or distress is, or is likely to be, caused to any data subject or distress is, or is likely to be, caused to any data subject (s2(5)). (s2(5)).
In this section of the Act also, the data subject is not required to In this section of the Act also, the data subject is not required to give consent. It is the data controller who must provide give consent. It is the data controller who must provide information).information).
3.3. Adequate security measures must be taken to protect data.Adequate security measures must be taken to protect data.
4.4. Personal Data (identifiable data) shall not be processed unless Personal Data (identifiable data) shall not be processed unless s2 is complied with and 1 additional requirement of s2A is met.s2 is complied with and 1 additional requirement of s2A is met.
This could be the data subject giving his/her consent to the This could be the data subject giving his/her consent to the processingprocessing
(Article 7 of the Directive uses the words ‘unambiguous (Article 7 of the Directive uses the words ‘unambiguous consent’ and in article 2(h), consent is defined as “…consent’ and in article 2(h), consent is defined as “…any freely any freely given specific and informed indication of his wishes by which given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data.”)the data subject signifies his agreement to personal data.”) or or instead,instead,
if one of number of other conditions were met. However, apart if one of number of other conditions were met. However, apart from the consent condition, none of these would seem to be from the consent condition, none of these would seem to be relevant to medical research or public health (except when the relevant to medical research or public health (except when the processing is required to protection the vital health interests of processing is required to protection the vital health interests of a data subject or in the public interest) and thus, for personal a data subject or in the public interest) and thus, for personal medical data (identifiable), consent must be given (s2A).medical data (identifiable), consent must be given (s2A).
5.5. Sensitive Personal Data (health/medical data) Sensitive Personal Data (health/medical data) shall not be processed unless in addition to shall not be processed unless in addition to satisfying the conditions of sectionssatisfying the conditions of sections 2 and 2(A), at 2 and 2(A), at least one of the additional listed conditions is also least one of the additional listed conditions is also met.met.
This could be the data subject giving his/her This could be the data subject giving his/her consent explicitly to the processing or instead if consent explicitly to the processing or instead if one of a number of other conditions are met. one of a number of other conditions are met.
Here the one of most note is the processing of Here the one of most note is the processing of data for medical purposes which includes medical data for medical purposes which includes medical research (‘medical research exemption’) (and research (‘medical research exemption’) (and also to protect the vital health interests of a data also to protect the vital health interests of a data subject or in the public interest) (s2B). subject or in the public interest) (s2B).
Medical Research Concerns
Issue of explicit consent – e.g. in epidemiological studies
Secondary use of data
Issue of Anonymisation
Issue of data protection policies
There are no consistent guidelines in EU member states. Some have
opted for a more, seemingly, liberal approach, for example, Sweden, in the
application of the medical research exemption.
Others however, such as France and Germany, have opted for a less
liberal approach.
The lack of consistency has not helped in the interpretation of the
Directive.
““A blanket requirement for A blanket requirement for anonymisation of data, as well as anonymisation of data, as well as informed consent from all individuals informed consent from all individuals to use identifiable data about them, to use identifiable data about them, would jeopardise the methodological would jeopardise the methodological integrity of research and audit. This integrity of research and audit. This would not just hinder the progress of would not just hinder the progress of medical knowledge but might lead to medical knowledge but might lead to completely incorrect conclusions. This completely incorrect conclusions. This would be against the public interest would be against the public interest and make the process of clinical and make the process of clinical governance impossible…” governance impossible…” BMJ 2000 “…it would appear that the Directive will, in
many circumstances, shift the balancein favour of obtaining clearer, more
unambiguousConsent from individuals than
has been the case up to now.” DP Commissioner, 2002
““Consent has a role to play but it does not emerge as a trump card. Consent has a role to play but it does not emerge as a trump card. Indeed some might argue that the broad and indistinct Indeed some might argue that the broad and indistinct
categories of justifications for processing without consent categories of justifications for processing without consent potentially weaken the protection that is afforded to potentially weaken the protection that is afforded to
informational privacy interests. The model, however, is, as informational privacy interests. The model, however, is, as always, a search for a balance and few could deny that privacy always, a search for a balance and few could deny that privacy protection showed sometimes bow to other interests. But the protection showed sometimes bow to other interests. But the devil is in the detail of determining which interest should be devil is in the detail of determining which interest should be
weighed in the balance and how far privacy should be weighed in the balance and how far privacy should be compromised in any given case. The example of research is compromised in any given case. The example of research is
particularly apt. Some member states, for example Denmark particularly apt. Some member states, for example Denmark and Austria, allow research on secondary uses of patient data, and Austria, allow research on secondary uses of patient data,
that is, uses beyond those for which the data were first that is, uses beyond those for which the data were first obtained, without the need for patient consent so long as the obtained, without the need for patient consent so long as the
national data protection office gives prior approval. The United national data protection office gives prior approval. The United Kingdom also has mechanisms for allowing research using Kingdom also has mechanisms for allowing research using
patient data subject to rigorous review…It is to be noted with patient data subject to rigorous review…It is to be noted with some regret, however, that a culture of caution has grown up some regret, however, that a culture of caution has grown up
around the workings of the Data Protection Act such that there is around the workings of the Data Protection Act such that there is a widespread belief that the law now hinders research.a widespread belief that the law now hinders research.
In the main, we consider this to be unfounded.”In the main, we consider this to be unfounded.”
Mason & Laurie, Law & Medical Ethics (2006)
Two general categories of data require to be considered:Two general categories of data require to be considered:
– (a) retrospective/archived/historical data (where consent for the (a) retrospective/archived/historical data (where consent for the current use was never obtained or is inadequate) andcurrent use was never obtained or is inadequate) and
– (b) prospective/future data, for which, how and what type of (b) prospective/future data, for which, how and what type of consent should be obtained needs to be discussed.consent should be obtained needs to be discussed.
In relation to the former, the questions that arise are:In relation to the former, the questions that arise are:
– (i) when does a researcher require to re-obtain consent (where the (i) when does a researcher require to re-obtain consent (where the data is identifiable) and if this cannot be obtained (due to data is identifiable) and if this cannot be obtained (due to impossibility/disproportionate effort) can the research progress?impossibility/disproportionate effort) can the research progress?
– (ii) Can the researcher continue carry out the research by (ii) Can the researcher continue carry out the research by anonymising the data and if so, who should anonymise this data?anonymising the data and if so, who should anonymise this data?
– (iii) If the research would prove futile by anonymisation can it be (iii) If the research would prove futile by anonymisation can it be pseudo-anonymised and (iv) what onus is there on a research pseudo-anonymised and (iv) what onus is there on a research ethics committee to ensure that the research proposal is in ethics committee to ensure that the research proposal is in accordance with the Data Protection Act?accordance with the Data Protection Act?
The exemptions exist for reason, however,The exemptions exist for reason, however, do not allow data controllers to by-pass their do not allow data controllers to by-pass their
obligations to ensure that prior to health and personal obligations to ensure that prior to health and personal data, being processed, a subject:data, being processed, a subject:– (i) is given information in relation to their data and(i) is given information in relation to their data and– (ii) in certain circumstances, gives his/her consent prior to the (ii) in certain circumstances, gives his/her consent prior to the
processing of their data.processing of their data.
Other practitioners, whilst discussing the concerns, Other practitioners, whilst discussing the concerns, have also stated that:have also stated that:
“…“…health professionals need to understand health professionals need to understand current anxieties about the ways in which health current anxieties about the ways in which health
information is handled; they need to learn the information is handled; they need to learn the rules and apply them and accept that unfettered rules and apply them and accept that unfettered access to personal health information is a thing access to personal health information is a thing of the past and that, among the many tools they of the past and that, among the many tools they
need for modern clinical practice are those of need for modern clinical practice are those of skilled information management.”skilled information management.”
Chalmers and Muir, “Patient privacy and confidentiality: The debate goes on; the issues are complex, but a consensus is emerging.” BMJ,
2003;326:725–6, 2003)
Data Protection Principles
1 Personal data shall be processed fairly and lawfully and, in particular,shall not be processed unless:(a) The conditions of section 2 are satisfied and (b) at least one of the conditions in s 2A is met, and(c) in the case of sensitive personal data, at least one of the conditions
in s 2B is also met. 2 Personal data shall be obtained only for one or more specified andlawful purposes, and shall not be further processed in any mannerincompatible with that purpose or those purposes. 3 Personal data shall be adequate, relevant and not excessive inrelation to the purpose or purposes for which they are processed. 4 Personal data shall be accurate and, where necessary, kept up to date. 5 Personal data processed for any purpose or purposes shall not bekept for longer than is necessary for that purpose or those purposes.
6 Personal data shall be processed in accordance with the rights
of data subjects under this Act.
7 Appropriate technical and organisational measures shall be
taken against unauthorised or unlawful processing of personal
data and against accidental loss or destruction of, or damage to,
personal data.
8 Personal data shall not be transferred to a country or territory
outside the European Economic Area unless that country or
Territory ensures an adequate level of protection for the rights
And freedoms of data subject in relation to the processing of
personal data.
Moving forwardBest Practice Models?
Moving forwardBest Practice Models?
MR
C G
uid
elin
es,
20
00
Learn
ing
from
Exp
erie
nce
,Priv
acy
& th
e S
eco
nd
ary
Use
of
Data
in H
ealth
Rese
arch
Low
ran
ce W
Nu
ffield
Tru
st, 20
02
Conclusions Increased move toward maximum disclosure of information – utilisation
of proper and clear provision of information over the use of patient information
Consent as the first port of call, would overcome all obstacles – but is not necessarily required if exemptions are invoked (medical research exemption)
Specific information, however, must be provided to data subjects Personal information must be protected
– Kept confidential
– Anonymised (utilisation of Privacy Enhancing Techniques – PETs)
– Definitions of ‘anonymous; Where anonymisation cannot be achieved
– Require ethics approval
– Adequate safeguards in place to ensure safety Properly considered research policies Assistance of
– Ethics Committees
– Data Protection Commissioner
Other Options In certain limited circumstances for public health screening
reasons:– Health (Provision of Information) Act, 1997 (Cancer Registry)
– Allows passing of data from bodies to other bodies with permission of Minister of Health
Pass Similar legislation on a limited basis:– S60 Health and Social Care Act 2001, UK– Health Service (Control of Patient Information) 2002, UK – public
health patient data
this should done only with careful consultation: need to avoid panic reactions?
The Data Protection Acts 1988 and 2003: Implications for Medical and Public Health Research in Ireland (Health Research Board, 2007 – forthcoming)
This lecture or any of the information given therein is not
and should not be taken to be or relied on as legal medico-legal or
medico-ethical advice.
No reproduction or distribution
without prior permission of author
All Notes © Asim A. Sheikh BL, 2006
